enSilo protects against “WannaCry” and stolen NSA Tools out of the box

Just weeks after the Shadow Brokers released the NSA tools, the world has had its first taste of how effective threats built with them can be. Beginning early on May 12th, a ransomware variant using the EternalBlue exploit for Microsoft Windows began spreading like wildfire, locking down businesses and users in more than 90 countries. (enSilo endpoint security protects customers from this exploit, and much more.)

With more than 45,000 instances of the malware detected, this new ransomware variant, called “WannaCry,” targets a previously patched vulnerability in Microsoft's SMB implementation. Yet in spite of the Microsoft Security Bulletin (MS17-010) and the patch it shipped for the flaw, infection rates have been startling.

There have been confirmed business impacts in multiple industries, including healthcare, shipping, and telecom, with big-name organizations such as the United Kingdom's National Health Service, Federal Express, and telecom giant Telefonica all reportedly affected.

How did this happen and why is it so widespread?

This attack is widespread for a simple reason: people patched too slowly, or could not patch at all. Why?

  1. The exploit was released only recently. Just a month ago, in April, the hacking group Shadow Brokers published the exploit originally used by the NSA. Microsoft's patch (MS17-010) had shipped only a month earlier, in March, leaving many organizations little time to test and deploy the fix before a working exploit was public.
  2. Too many legacy systems. This exploit hits a wide range of Windows versions, and where a system is no longer supported, including Windows XP, there is no patch to apply.

What are the origins of this ransomware?

It is important to note that WannaCry uses EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation that compromises the endpoint and installs a backdoor in the kernel (the DoublePulsar implant from the same leak). SMB is the Windows file-sharing protocol, reachable on TCP port 445 and present throughout virtually every enterprise. EternalBlue rides on that protocol, so a single infected host can reach any other unpatched host that exposes SMB and move throughout an organization without any user interaction.

This is a serious escalation in the weaponization of traditional ransomware. Most ransomware affects only a handful of devices within an organization, but with EternalBlue we now witness attacks that propagate on their own, “walking” from host to host over SMB, compromising mission-critical servers and bringing an entire enterprise to its knees.
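The two paragraphs above describe what makes this worm different: one host that speaks SMB to many peers on TCP/445, and each newly compromised peer doing the same a few minutes later. That pattern is visible in ordinary flow or firewall logs long before any ransom note appears. The following is an added example for this post, not enSilo's code and not its instruction-level inspection: a small detector that flags hosts fanning out on port 445 and reconstructs the infection chain from the order in which they start sweeping. The log line format, the thresholds (10 distinct peers within 5 minutes) and the addresses are all assumptions, and the sample traffic is constructed.

```python
"""Detect worm-style SMB propagation in connection logs.

Added example for this post, not enSilo's code: it flags hosts that fan out
to many peers on TCP/445 (an EternalBlue sweep) and reconstructs the
infection chain. The log format, thresholds and addresses are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed flow-log line: "<ISO8601 UTC> src=<ip> dst=<ip> dport=<port> proto=<tcp|udp>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one flow record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def find_smb_scanners(events, window=timedelta(minutes=5), min_targets=10):
    """Map each scanning host to the time its sweep began.

    A host is a scanner when it opens TCP/445 to at least `min_targets`
    distinct peers inside any sliding window of length `window`. Normal
    clients talk to a handful of file servers; a worm sweeps a subnet.
    """
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445 and e["proto"] == "tcp":
            by_src[e["src"]].append((e["ts"], e["dst"]))
    scanners = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window:
                start += 1
            if len({dst for _, dst in conns[start:end + 1]}) >= min_targets:
                scanners[src] = conns[start][0]
                break
    return scanners


def infer_propagation(events, scanners):
    """Return (parent, child) edges: `parent` was already sweeping when it
    touched `child` on 445, and `child` only started sweeping afterwards."""
    parent = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        a, b = e["src"], e["dst"]
        if e["dport"] != 445 or a not in scanners or b not in scanners:
            continue
        if b not in parent and scanners[a] <= e["ts"] < scanners[b]:
            parent[b] = a
    return [(a, b) for b, a in parent.items()]


def analyze(lines, **kwargs):
    """Run both stages over raw log lines and return (scanners, edges)."""
    events = [e for e in map(parse_line, lines) if e is not None]
    scanners = find_smb_scanners(events, **kwargs)
    return scanners, infer_propagation(events, scanners)


# Constructed sample traffic (not real telemetry) starting 2017-05-12 08:00 UTC.
_T0 = datetime(2017, 5, 12, 8, 0, 0)


def _flow(offset_s, src, dst, dport=445):
    ts = _T0 + timedelta(seconds=offset_s)
    return f"{ts:%Y-%m-%dT%H:%M:%SZ} src={src} dst={dst} dport={dport} proto=tcp"


SAMPLE_LOG = (
    # a normal workstation: one file server, plus some HTTPS
    [_flow(5, "10.0.1.20", "10.0.9.9"), _flow(65, "10.0.1.20", "10.0.9.9"),
     _flow(70, "10.0.1.20", "93.184.216.34", 443)]
    # patient zero sweeps the neighbouring /24 on 445, one host per second
    + [_flow(i, "10.0.1.15", f"10.0.2.{i + 1}") for i in range(12)]
    # 10.0.2.7 (hit at +6s) begins its own sweep three minutes later
    + [_flow(180 + i, "10.0.2.7", f"10.0.3.{i + 1}") for i in range(11)]
    + ["not a flow record"]  # malformed line, skipped by the parser
)

if __name__ == "__main__":
    scanners, edges = analyze(SAMPLE_LOG)
    for host, first in sorted(scanners.items(), key=lambda kv: kv[1]):
        print(f"SMB sweep from {host} starting {first:%H:%M:%S}")
    for a, b in edges:
        print(f"propagation: {a} -> {b}")
```

On the constructed data the workstation that only talks to its file server is ignored, 10.0.1.15 and 10.0.2.7 are reported as sweeping hosts, and the single edge 10.0.1.15 -> 10.0.2.7 shows where the worm walked. Tune `min_targets` and `window` to the site: vulnerability scanners and backup servers legitimately fan out on 445 and belong on an allow-list, and the detector should read from a central flow collector rather than the endpoint, since the endpoint is exactly what the exploit has just compromised.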

And at a price of $300 per computer, you can bet this is just the first of many campaigns to use the same exploit. With 45,000 infections, that is a potential $13 million in a single day, a payout that is bound to bring more of these criminals to your door.

Does enSilo block this attack?

Yes! enSilo protects against WannaCry, the EternalBlue exploit, and advanced ransomware out of the box through its in-depth inspection of operating system instructions.

enSilo flagged the attack because the payload ran as an unmapped executable, a “floating” module that is not backed by a recognized, allowed file on disk, in violation of the operating system's normal loading procedures.

[Figure: wannacry-chain.png, the WannaCry attack chain]


To learn more about how enSilo protects against threats like this, check out our free webinar: NSA Tools in Your Backyard, Protecting Unpatched PCs Against Nation-Grade Tools
